Step-by-Step: Enabling and Using Fine-Grained Password Policies in AD

Here is a little something that IT planners, designers and especially administrators will be interested in. In all my years managing, designing and deploying AD environments, it is something I have been asked about over and over. Sometimes for the wrong reason...

You can use fine-grained password policies to specify multiple password policies in a single domain and apply different restrictions for password and account lockout policies to different sets of users in a domain.

For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.

Fine-grained password policies apply only to global security groups and user objects (or inetOrgPerson objects, if they are used instead of user objects). A fine-grained password policy cannot be applied to an organizational unit (OU) directly; to cover the users in an OU, put them in a global security group and apply the policy to that group.

Other considerations are:

By default, only members of the Domain Admins group can set fine-grained password policies, but this can be delegated.

Fine-grained password policies require a domain functional level of Windows Server 2008 or higher.

Every policy carries a precedence value. When a user is covered by more than one policy, the one with the lowest precedence value wins, so give your strictest policy the lowest number.

3- In the “Create Password Policy” UI, fill in all the fields that apply to your case.

I suggest a descriptive name and a description stating why you created the new policy, how it differs from the default domain password policy, and which group it applies to. That way you will know why you did it when you review it down the road. (It could even say “because my boss made me do it...”)

4- Click the Add button in the “Directly Applies To” section and select the global security group you want to target.
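The same procedure from PowerShell, as an added example that is not part of the original post. It creates a stricter policy for privileged accounts, applies it to a global security group, and then verifies the resultant policy on a real member account rather than trusting the policy object. The policy name “PSO-PrivilegedAccounts” and the group name “Tier0-Admins” are assumed placeholders; the ActiveDirectory module from RSAT is required.

```powershell
# Added example, not from the original post. Assumed names: the policy
# "PSO-PrivilegedAccounts" and the group "Tier0-Admins" are placeholders.
# Requires the ActiveDirectory module (RSAT) and a domain functional level
# of Windows Server 2008 or higher.

Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'   # assumed policy name
$group   = 'Tier0-Admins'             # assumed global security group

# Step 3 equivalent: create the policy with the settings you want.
# Precedence: the lowest value wins when a user is covered by several
# policies, so the strictest policy gets the lowest number.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Description 'Stricter than the default domain policy; applies to Tier 0 admin accounts' `
    -Precedence 10 `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# Step 4 equivalent: apply the policy to the global security group
# (the "Directly Applies To" list in the ADAC UI).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Check: confirm the *resultant* policy on an actual member of the group.
# A policy pointed at the wrong object (for example an OU) does nothing,
# and this is the only way to see which policy really applies to a user.
$member = Get-ADGroupMember -Identity $group |
    Where-Object objectClass -eq 'user' |
    Select-Object -First 1

if ($member) {
    Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName |
        Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
}
# If Get-ADUserResultantPasswordPolicy returns nothing for a user, no
# fine-grained policy covers that user and the default domain policy applies.
```

Run the verification part again after any group membership change: a user who leaves the group falls back to the default domain policy (or to the next lowest-precedence policy that still covers them) without any warning.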